Bugzilla – Attachment 56 Details for
Bug 188
pam_chauthtok() is called too late
[patch]
Second version of previous patch - also disables password aging in password userauth
openssh-kbdint-pam.patch2 (text/plain), 5.07 KB, created by
Nicolas Williams
on 2002-03-28 07:27:45 AEDT
Description:
Second version of previous patch - also disables password aging in password userauth
Filename:
MIME Type:
Creator:
Nicolas Williams
Created:
2002-03-28 07:27:45 AEDT
Size:
5.07 KB
patch
obsolete
>Index: 3_0_2p1_w_gssk5_ubsw_devl.32/session.c
>--- 3_0_2p1_w_gssk5_ubsw_devl.32/session.c Thu, 10 Jan 2002 14:22:14 -0500
>+++ 3_0_2p1_w_gssk5_ubsw_devl.34(w)/session.c Wed, 27 Mar 2002 14:58:16 -0500
>@@ -734,17 +734,6 @@
> get_remote_name_or_ip(utmp_len, options.reverse_mapping_check),
> (struct sockaddr *)&from);
>
>-#ifdef USE_PAM
>- /*
>- * If password change is needed, do it now.
>- * This needs to occur before the ~/.hushlogin check.
>- */
>- if (is_pam_password_change_required()) {
>- print_pam_messages();
>- do_pam_chauthtok();
>- }
>-#endif
>-
> if (check_quietlogin(s, command))
> return;
>
>Index: 3_0_2p1_w_gssk5_ubsw_devl.32/auth2-pam.c
>--- 3_0_2p1_w_gssk5_ubsw_devl.32/auth2-pam.c Wed, 21 Nov 2001 10:38:46 -0500
>+++ 3_0_2p1_w_gssk5_ubsw_devl.34(w)/auth2-pam.c Wed, 27 Mar 2002 10:28:30 -0500
>@@ -42,7 +42,7 @@
>
> dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
> &input_userauth_info_response_pam);
>- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
>+ retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);
> dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
>
> return retval;
>Index: 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.h
>--- 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.h Thu, 10 Jan 2002 14:22:14 -0500
>+++ 3_0_2p1_w_gssk5_ubsw_devl.34(w)/auth-pam.h Wed, 27 Mar 2002 14:58:54 -0500
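Review bot: The bare `1` on the changed `retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);` line is an undocumented boolean that now decides whether pam_chauthtok() runs inside userauth, and nothing at the call site says so. I would annotate it, e.g. `retval = (do_pam_authenticate(0, 1 /* kbd-int conv can prompt: allow expired-password change */) == PAM_SUCCESS);`, or give the two values named constants in auth-pam.h. This path also still passes `0` as the PAM flags while the password path in auth-pam.c derives PAM_DISALLOW_NULL_AUTHTOK from options.permit_empty_passwd; that asymmetry predates this patch, but now that the kbd-int path also drives the password-change dialog it is worth confirming PermitEmptyPasswords is enforced for it somewhere else. The enclosing function starts and ends outside the hunk.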
>@@ -9,13 +9,12 @@
> void finish_pam(void);
> int auth_pam_password(struct passwd *pw, const char *password);
> char **fetch_pam_environment(void);
>-int do_pam_authenticate(int flags);
>+int do_pam_authenticate(int flags, int can_age_pw_here);
> int do_pam_account(char *username, char *remote_user);
> void do_pam_session(char *username, const char *ttyname);
> void do_pam_setcred(int init);
> void print_pam_messages(void);
> int is_pam_password_change_required(void);
>-void do_pam_chauthtok(void);
> void do_pam_set_conv(struct pam_conv *);
> int do_pam_putenv(char *, char *);
> void message_cat(char **p, const char *a);
>Index: 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.c
>--- 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.c Thu, 10 Jan 2002 14:22:14 -0500
>+++ 3_0_2p1_w_gssk5_ubsw_devl.34(w)/auth-pam.c Wed, 27 Mar 2002 15:11:42 -0500
>@@ -58,6 +58,7 @@
> static int password_change_required = 0;
> /* remember whether the last pam_authenticate() succeeded or not */
> static int was_authenticated = 0;
>+static int acct_mgmt_retval = -1;
>
> /* Remember what has been initialised */
> static int session_opened = 0;
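Review bot: The comment on `was_authenticated` just above the added line (`remember whether the last pam_authenticate() succeeded or not`) no longer describes the variable: the new do_pam_authenticate() clears it when pam_acct_mgmt() returns anything but success and reassigns it from the pam_chauthtok() result. I would reword it to `/* set only when pam_authenticate(), pam_acct_mgmt() and any pam_chauthtok() needed for password aging all succeeded */`. The new `acct_mgmt_retval = -1` sentinel also deserves a one-line comment, since do_pam_account() later compares it against PAM return codes: `static int acct_mgmt_retval = -1; /* -1: pam_acct_mgmt() not yet called this run (PAM status codes are >= 0) */`.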
>@@ -71,10 +72,40 @@
> }
>
> /* start an authentication run */
>-int do_pam_authenticate(int flags)
>+int do_pam_authenticate(int flags, int can_age_pw_here)
> {
> int retval = pam_authenticate(__pamh, flags);
>+
>+ was_authenticated = (retval == PAM_SUCCESS);
>+ if (retval != PAM_SUCCESS)
>+ return retval;
>+
>+ acct_mgmt_retval = pam_acct_mgmt(__pamh, 0);
>+
>+ if (acct_mgmt_retval == PAM_SUCCESS)
>+ return PAM_SUCCESS;
>+
>+ was_authenticated = 0;
>+ if (acct_mgmt_retval != PAM_NEW_AUTHTOK_REQD)
>+ return acct_mgmt_retval;
>+
>+ /* (acct_mgmt_retval == PAM_NEW_AUTHTOK_REQD) */
>+ /* PAM auth token (password) is expired */
>+
>+ /*
>+ * USERAUTH_PASSWORD_CHANGEREQ is not currently
>+ * supported. Password aged users using password
>+ * userauth are thrown out here.
>+ */
>+ if (!can_age_pw_here)
>+ return PAM_NEW_AUTHTOK_REQD;
>+
>+ debug("do_pam_authenticate() - doing password aging");
>+ retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
> was_authenticated = (retval == PAM_SUCCESS);
>+ if (retval == PAM_SUCCESS)
>+ acct_mgmt_retval = PAM_SUCCESS;
>+
> return retval;
> }
>
>@@ -218,7 +249,8 @@
>
> pamstate = INITIAL_LOGIN;
> pam_retval = do_pam_authenticate(
>- options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
>+ options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0,
>+ 0);
> if (pam_retval == PAM_SUCCESS) {
> debug("PAM Password authentication accepted for "
> "user \"%.100s\"", pw->pw_name);
>@@ -246,7 +278,11 @@
> PAM_STRERROR(__pamh, pam_retval));
> }
>
>- pam_retval = pam_acct_mgmt(__pamh, 0);
>+ /* do_pam_authenticate() may have called pam_acct_mgmt() already */
>+ pam_retval = acct_mgmt_retval;
>+ if (pam_retval == -1)
>+ pam_retval = pam_acct_mgmt(__pamh, 0);
>+
> switch (pam_retval) {
> case PAM_SUCCESS:
> /* This is what we want */
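Review bot: `acct_mgmt_retval` is written only after pam_authenticate() succeeds and is never cleared, so once an attempt has stored a value every later userauth attempt on this connection, including ones where pam_authenticate() fails early, leaves it in place for do_pam_account() to consume without consulting PAM again; the account decision then reflects whichever earlier attempt last wrote it rather than the one that finally succeeded. Making `acct_mgmt_retval = -1;` the first statement of do_pam_authenticate(), before the pam_authenticate() call, makes each run start fresh at no cost. The removed do_pam_chauthtok() also set `pamstate = OTHER` before pam_chauthtok(); the new call site does not, which is presumably fine when the kbd-int conversation is installed, but a one-line comment saying so would save the next reader the same question. Finally, the cached pam_acct_mgmt() now runs before whatever do_pam_account() sets up in the lines ahead of its hunk (the block ending at `PAM_STRERROR(__pamh, pam_retval)); }`), so any PAM items configured there are not seen by the cached account check; worth confirming that is acceptable.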
>@@ -255,6 +291,7 @@
> message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
> /* flag that password change is necessary */
> password_change_required = 1;
>+ return(0); /* Sorry, no TTY password aging */
> break;
> default:
> log("PAM rejected by account configuration[%d]: "
>@@ -314,27 +351,6 @@
> int is_pam_password_change_required(void)
> {
> return password_change_required;
>-}
>-
>-/*
>- * Have user change authentication token if pam_acct_mgmt() indicated
>- * it was expired. This needs to be called after an interactive
>- * session is established and the user's pty is connected to
>- * stdin/stout/stderr.
>- */
>-void do_pam_chauthtok(void)
>-{
>- int pam_retval;
>-
>- do_pam_set_conv(&conv);
>-
>- if (password_change_required) {
>- pamstate = OTHER;
>- pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
>- if (pam_retval != PAM_SUCCESS)
>- fatal("PAM pam_chauthtok failed[%d]: %.200s",
>- pam_retval, PAM_STRERROR(__pamh, pam_retval));
>- }
> }
>
> /* Cleanly shutdown PAM */
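Review bot: The added `return(0); /* Sorry, no TTY password aging */` makes the `break;` on the next line unreachable, and the two statements before it (`message_cat(&__pam_msg, NEW_AUTHTOK_MSG)` and `password_change_required = 1`) now do work for an account that is refused on the spot; with the session.c consumer removed in this same patch, is_pam_password_change_required() has no caller visible here. I would drop the dead `break;` and either remove those two statements or state in the comment why the flag and message are still set (for print_pam_messages() on the rejection path, if that is the intent). The comment could also say what actually happens, e.g. `/* expired password and no tty to run pam_chauthtok() on: refuse the account */`, which is clearer to an admin reading the code after a lockout than "Sorry". do_pam_account() starts and ends outside the hunk.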